2016 Postmortem
Time for Damage Control. A full independent audit of DNC security protocol and access logs.
A full independent audit of the DNC security protocol and access logs is needed.
This should be immediate since server logs are simple files to manipulate.
It should cover the past year, at least. This was not the first time security was compromised.
The vendor needs to be replaced at the very least. Your local elementary school has better security protocol. This is inexcusable for the vendor.
All sides - the DNC staff, Bernie's staff and that of the other campaigns - need to fire those involved.
The DNC has disgraced our party and we need to take the appropriate action and hold people accountable.
irisblue
(32,982 posts)
peacebird
(14,195 posts)
To audit the files. That is unacceptable.
tecelote
(5,122 posts)
An independent audit going back at least a year.
We don't know who else accessed the files or for how long this security breach existed.
madokie
(51,076 posts)
Bad.
JaneyVee
(19,877 posts)
NOT GOOD.
There's one breach. How many more?
We need to audit the files soon and over a significant period. Server files are easily manipulated.
It's for the good of the whole party. Who else accessed files they shouldn't have access to? This wasn't the first breach.
randome
(34,845 posts)
No one needs to second-guess every software system in use by the DNC. The level of ridiculousness on this site since yesterday has gone from 0 to 120 in mere moments.
All things in moderation, including moderation.
tecelote
(5,122 posts)
You are correct. A serious data breach is exposed and you want to punish Bernie but not the people that caused the problem.
It's a two-way street. Action needs to be taken.
Our data, your data, was unsecure through poor protocol - more than once. It's not a Bernie/Hillary thing. This is serious.
randome
(34,845 posts)
Data is unsecured all the time. The DNC should force the vendor to fix the problem but I've worked in enough corporations over the past 3 decades to know that there are glaring holes everywhere, some that never get fixed.
To pretend like the DNC should be more perfect than any other corporation that has the same weaknesses is ridiculous. Yes, they should fix the breach. Yes, the Sanders campaign illegally accessed data. Yes, the DNC leans more toward the Democratic candidate than the Independent.
Big. Deal.
tecelote
(5,122 posts)
It is not rocket science and yes, hackers do win sometimes, but this is not the case.
Security of personal data is very serious.
randome
(34,845 posts)
If it's as straightforward as you imply, we would not have hundreds of data breaches every month for major corporations who certainly have the money and the resources to prevent it from happening.
The truth is, this kind of stuff happens all the time because the systems in place are far more complex than they need to be.
That being said, of course the DNC should take whatever steps are needed to, if not close, then to make the security holes a lot smaller. But it has happened in the past and it will happen in the future. It's the nature of this crazy quilt data environment we have created.
I simply find it amusing that the DNC now needs to be micro-managed by everyone else who simply knows that they are incompetent.
tecelote
(5,122 posts)
I too have worked with many companies and have never had a data breach allowing access to personal information.
Higher standards are required here. Sorry, just my opinion. Not trying to micro-manage. Just trying to get our party to respect our data as they should.
It's true. Being quiet is not one of my virtues.
ljm2002
(10,751 posts)
...to wit: "No one needs to second-guess every software system in use by the DNC."
Actually we are talking about one specific software system in use by the DNC. Since the slipshod security of that system has been exposed, quite publicly thanks to DWS, it is of interest to all of us how the situation is resolved. The best way to proceed would indeed be an independent investigation, otherwise it will be difficult to restore trust in the system.
randome
(34,845 posts)
I don't have trust in any software system because they have too many integration problems and are far too complex, as a result.
Corporations lose data every day. I don't hear anyone calling for independent investigations, just an acknowledgement that they will work to secure that particular security hole until the next one crops up.
ljm2002
(10,751 posts)
We're not discussing your personal trust in the DNC's software systems, we are discussing one specific failure that the company had been notified about previously.
I have worked with many software systems, and the kind of breach we are discussing is preventable. Especially if the vendor's initial story is true -- they claimed they had to open up the "firewall" (I suspect it is really a system of access permissions, rather than strictly speaking a firewall) in order to apply a patch to the software. They chose to leave the software running and let everyone keep accessing it. D'oh. Just do it off hours, notify there will be a brief outage, and take the system offline while applying the patch. Then bring it back up, check all the permissions (the "firewall" aspect), and again allow access once tests have been passed. Not hard, not hard at all.
6chars
(3,967 posts)
tecelote
(5,122 posts)
An act of an honest man.
JaneyVee
(19,877 posts)
yodermon
(6,143 posts)
If a breach has been a recurring issue, we need to see ALL logs during those time periods. Or at least they need to be independently examined. Who knows whose data may have been breached by anyone? Selective log file releases paint a very narrow picture.
Erich Bloodaxe BSN
(14,733 posts)
First, the very fact that their 'firewalls' could be so easily turned on and off tells me they've got lousy code and crappy DB permissions.
Second, the fact that as soon as Sanders' lawyer said 'We'll get discovery and see what the DNC personnel are saying in their internal emails about supporting candidates', the DNC falls all over itself to restore Sanders' campaign access, tells me that DWS knows that she and her cronies have said things in emails that show what they've been up to. I'm guessing they'll be spending some time now deleting old emails and scrubbing drives, just to make sure that can't happen in the future.
demwing
(16,916 posts)
discovery is still requested
Erich Bloodaxe BSN
(14,733 posts)
Ie, Sanders was suing for access to the DB, now he has access again, therefore there's no 'goal' left?
demwing
(16,916 posts)
Here's the complaint:
https://berniesanders.com/wp-content/uploads/2015/12/Bernie2016vDNCComplaint.pdf
Pay particular attention to pages 9-11
moobu2
(4,822 posts)
tecelote
(5,122 posts)
It should be done internally but transparent to the campaigns only.
This never should have been brought to the media in the first place. I do have to wonder why the DNC did that?
DanTex
(20,709 posts)
The DNC made a mistake in their security protocol. But the only unethical behavior here was on the part of Bernie's campaign staff. A mistake is different from an intentional act of thievery.
tecelote
(5,122 posts)
But we don't know who else accessed the data at the same time. And, this isn't the first time we had a security mistake.
How can you defend not investigating this?
Plus, this should never have gone to the media. But, it did. So, steps must be taken to ensure Americans that their data is safe.
DanTex
(20,709 posts)
rather than Bernie's that was doing the stealing, and the DNC decided to not say anything about it, the same people would now be yelling coverup.
tecelote
(5,122 posts)
BTW - They didn't steal anything.
"In a statement, NGP VAN said that unauthorized users were not able to export, save or act on unauthorized information"